You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (JIRA)" <ji...@apache.org> on 2018/02/06 12:41:02 UTC

[jira] [Created] (OFBIZ-10206) Security issue in Token Based Authentication

Jacques Le Roux created OFBIZ-10206:
---------------------------------------

             Summary: Security issue in Token Based Authentication
                 Key: OFBIZ-10206
                 URL: https://issues.apache.org/jira/browse/OFBIZ-10206
             Project: OFBiz
          Issue Type: Bug
          Components: framework
    Affects Versions: 17.12.01
            Reporter: Jacques Le Roux
            Assignee: Jacques Le Roux


The version I commited so far in OFBIZ-9833 has a small security issue.

I added the JWT (JSON Web Token [https://fr.wikipedia.org/wiki/JSON_Web_Token]), which guarantees an exchange between 2 servers. But the way I used it did not prevent from changing the parameter externalServerLoginKey in the URL. Note that this is only possible from the server where the JWT was sent from. This is still a risk (minor) if an unauthorized and malicious person managed to gain access to the backend of the source server.

The flaw is that I was using a query parameter in the ContextFilter. doFilter () wrapper where the JWT is created.

I just replaced it with an autoLoginCookie reading on the source server. I would have preferred to use the session, but when creating the JWT, the session contains neither userLogin nor userLoginId. I also need the source server webapp to read the autoLoginCookie. The webapp must therefore be passed as a new parameter in the query. On the target server I use a userLoginId reading from the JWT and no longer from the request, that was the goal I missed!

I have secured all cookies with OFBIZ-6655, so an autoLoginCookie can only be created or updated when creating the session on the source server. However, autoLoginCookies have a lifetime of one year and are not deleted during a logout. So an autoLoginCookie of another webapp (webapp passed in parameter thus modifiable in the URL) could in theory be used to force another loginUser contained in the autoLoginCookie of this other webapp.

I think that this lifespan may make sense for frontends (ecommerce, ecomseo, webpos), which have their own logout and where I suppose this feature (from ecommerce in fact) comes to keep a customer's memory. For the backend I don't see the interest also I propose to delete autoLoginCookies to the logout on backend. For that I'll reopen and use OFBIZ-4959 that I closed as incomplete.

I will commit an improved version in the trunk that I have tested locally with 2 different webapps but still have to test on 2 servers. I'm going to do it using the trunk demo from my machine.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)